Solved: Get the value of a dynamic name field

ivan5593 · ‎03-09-2023

Hello,

I'm having an issue with a field search. I have a lookup where I specify for every sourcetype which field is relevant in order to create a ticket. Let's say the csv as the following:

sourcetype,field
sourcetypeA,host
sourcetypeB,dest

Then, I do a lookup to have this field into an unique field accross the sourcetype:

index=test
| lookup fields_relation sourcetype OUTPUT relevant_field
| eval relevant_host = 'relevant_field'

What I want now is to do an eval and set the value of this relevant_field (e.g. For the sourcetypeA I want a variable named relevant_host with the value of host variable). But all the tries let me to only have the string 'host'.

I tried do an eval sorrounding the variable between '' with no luck. Still the string field.
How can I get the variable value?

Thank you!

ITWhisperer · ‎03-09-2023

Try something like this

| makeresults 
| eval host="A"
| eval dest="B"
| eval relevant_field="dest"
| eval new_{relevant_field} = "default"
| foreach new_*
    [| eval <<FIELD>>=<<MATCHSEG1>>]

View solution in original post

ITWhisperer · ‎03-09-2023

Try something like this

| makeresults 
| eval host="A"
| eval dest="B"
| eval relevant_field="dest"
| eval new_{relevant_field} = "default"
| foreach new_*
    [| eval <<FIELD>>=<<MATCHSEG1>>]

ivan5593 · ‎03-09-2023

It worked like a charm! Thanks

Get the value of a dynamic name field

fields

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Splunk MCP & Agentic AI: Machine Data Without Limits

Join the Conversation

Get the value of a dynamic name field

fields

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Splunk MCP & Agentic AI: Machine Data Without Limits